As you and Mark stated, the possibility of grabbing control of a widget that
is already installed is far more likely to be used, and a good target would
be the default weather widget that is on by default.

It would be nice if Apple made it easy to turn off Dashboard, or even
required people to turn it on if they want to use it. This could be said for
a few other 'processes'/'features' that are on by default.

> Actually, it is worse than that. This is not just a problem because
> people download untrusted widgets.
>
> The real problem is that even a trusted widget can be compromised.
> Much like using 'trusted' software like Second Life, then getting
> hacked via Quicktime, you could use a 'trusted' widget that accesses
> web content. In the case of Twitter, or other Web 2.0 apps, the
> content being accessed by the widget could be anything an imaginative
> user can come up with. And that could compromise the widget much like
> the Quicktime bug compromises Second Life's client software.
>
> It should be possible to secure the widget by sanity-checking the web
> content it retrieves [which Second Life can't do in my not-completely-
> comparable comparison, because it is actually Quicktime getting
> hacked, not SL].
>
> On 5 Dec 2007, at 13:27, Don wrote:
>
>> That does sound bad. It relies on people downloading and installing widgets
>> from an unknown source, which would probably be the biggest area this would
>> be exploited; which is much easier than installing a program since it does
>> not even ask for a password to install widgets.
>>
>> Now if someone could take over a widget after it has been installed, that
>> would be another issue, i.e. any of the 'default' widgets. That would
>> greatly increase the seriousness of this threat.
>>
>> All roads lead back to operating your Mac with a non-administrator account.
>> If the attack was via hijacking an already installed widget and you were
>> running under a non-privileged account that should 'protect' the system
>> somewhat. However if it was through a bad widget that is going to be
>> installed only your fingers can truly stop that.
>>
>> Hopefully I am not too far off base on this.
>>
>> --
>> Don
>>
>>
>> On 12/4/07 1:21 PM, "Todd Woodward" <todd_woodward (at) symantec (dot) com> wrote:
>>
>>> Over on bugtraq, there's an interesting new thread regarding vulnerabilities
>>> in Mac OSX widgets.
>>>
>>> http://www.securityfocus.com/archive/1/484542/30/0/threaded
>>> http://www.securityfocus.com/archive/1/484567/30/0/threaded
>>>
>>> Essentially, widgets can "relax the Dashboard's JavaScript sandbox to enable
>>> the widget.system() call, which indeed amounts to the equivalent of system(3);
>>> i.e., if an attacker can take over the widget, the attacker can take over the
>>> user's account (and, quite often, the system)."
>>>
>>>
>>> Security Response Researcher
>>> Focus-Apple Moderator
>>>
>>> ________________________________________
>>> Todd D. Woodward
>>> Technical Support Engineer
>>> NetBackup Support
>>> Symantec Corporation
>>> www.symantec.com
>>> Springfield, Oregon
>>> ________________________________________
>>> Office: 541-335-7441
>>> ________________________________________
>>>
>>>
>>
>>
>
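
The sanity-checking of retrieved web content suggested in the thread, as an added example (not code from any poster or from Apple): a widget validates a feed response against a strict allowlist before any field is displayed or comes anywhere near widget.system(). The feed shape (city, tempC, summary) and the function names are assumptions made for illustration.

```javascript
// Added example: strict validation of remote content before a widget uses it.
// The feed shape (city, tempC, summary) is hypothetical.
const MAX_CHARS = 4096;
const CITY_RE = /^[\p{L}][\p{L} .'-]{0,63}$/u;     // letters, space, . ' -
const SUMMARY_RE = /^[\p{L}\p{N} ,.%-]{1,120}$/u;  // no markup or shell metacharacters
const ALLOWED_KEYS = ['city', 'tempC', 'summary'];

function sanitizeForecast(rawText) {
  if (typeof rawText !== 'string' || rawText.length > MAX_CHARS) {
    throw new Error('feed missing or too large');
  }
  let data;
  try {
    data = JSON.parse(rawText);   // parse as data only; never eval() a response
  } catch (e) {
    throw new Error('feed is not valid JSON');
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('feed must be a JSON object');
  }
  for (const key of Object.keys(data)) {
    if (!ALLOWED_KEYS.includes(key)) throw new Error('unexpected field: ' + key);
  }
  const { city, tempC, summary } = data;
  if (typeof city !== 'string' || !CITY_RE.test(city)) throw new Error('bad city');
  if (typeof tempC !== 'number' || !Number.isFinite(tempC) || tempC < -90 || tempC > 60) {
    throw new Error('bad tempC');
  }
  if (typeof summary !== 'string' || !SUMMARY_RE.test(summary)) throw new Error('bad summary');
  // Only validated values leave this function; display them as text, not as HTML.
  return Object.freeze({ city, tempC: Math.round(tempC), summary });
}

// Wrapper that reports rejection instead of throwing, so the widget can fall back.
function tryForecast(rawText) {
  try { return { ok: true, value: sanitizeForecast(rawText) }; }
  catch (e) { return { ok: false, reason: e.message }; }
}

// Constructed sample responses (not real feed data).
const samples = [
  '{"city":"Springfield","tempC":7.4,"summary":"Light rain, 80% humidity"}',
  '{"city":"Springfield","tempC":7,"summary":"Rain <script>x</script>"}',
  '{"city":"Springfield;x","tempC":7,"summary":"Rain"}',
  '{"city":"Springfield","tempC":7,"summary":"Rain","script":"x"}',
];
for (const s of samples) console.log(JSON.stringify(tryForecast(s)));
```

Rejecting the whole response on any unexpected field or character keeps attacker-chosen content out of both the widget's markup and any command string.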